Ranger policy condition macros
Apache Ranger policy macros provide pre-defined JavaScript functions to evaluate tag, user, group, role, and time-based attributes during access requests. Use these macros to simplify the creation of dynamic, context-aware policy conditions without manual string manipulation or complex custom coding.
| Macro | Expands to | JavaScript usage example | Description | Example return |
|---|---|---|---|---|
| GET_TAG_NAMES() | ctx.tagNames | ctx.tagNames() | Get all tag names as CSV | "PII,FINANCE" |
| GET_TAG_NAMES_Q() | ctx.tagNamesQ | ctx.tagNamesQ() | Get all tag names as quoted CSV | "'PII','FINANCE'" |
| GET_TAG_ATTR_NAMES() | ctx.tagAttrNames | ctx.tagAttrNames() | Get all tag attribute names as CSV | "level,type,owner" |
| GET_TAG_ATTR_NAMES_Q() | ctx.tagAttrNamesQ | ctx.tagAttrNamesQ() | Get all tag attribute names as quoted CSV | "'level','type','owner'" |
| GET_TAG_ATTR('attrName') | ctx.tagAttr | ctx.tagAttr('sensitiveLevel') | Get attribute values from all tags as CSV | "10,5" |
| GET_TAG_ATTR_Q('attrName') | ctx.tagAttrQ | ctx.tagAttrQ('sensitiveLevel') | Get attribute values from all tags as quoted CSV | "'10','5'" |
| GET_TAG_ATTR_CSV('attrName') | ctx.tagAttrCsv | ctx.tagAttrCsv('owner') | Get attribute values as CSV (alias) | "john,mary" |
| GET_TAG_ATTR_Q_CSV('attrName') | ctx.tagAttrCsvQ | ctx.tagAttrCsvQ('classification') | Get attribute values as quoted CSV (alias) | "'confidential','public'" |
| TAG_ATTR_NAMES_CSV | ctx.tagAttrNamesCsv() | ctx.tagAttrNamesCsv() | Get tag attribute names as CSV | "level,type,owner" |
| TAG_ATTR_NAMES_Q_CSV | ctx.tagAttrNamesCsvQ() | ctx.tagAttrNamesCsvQ() | Get tag attribute names as quoted CSV | "'level','type','owner'" |
| TAG_NAMES_CSV | ctx.tagNamesCsv() | ctx.tagNamesCsv() | Get tag names as CSV | "PII,FINANCE" |
| TAG_NAMES_Q_CSV | ctx.tagNamesCsvQ() | ctx.tagNamesCsvQ() | Get tag names as quoted CSV | "'PII','FINANCE'" |
| HAS_TAG('tagName') | ctx.hasTag | ctx.hasTag('PII') | Check if resource has specific tag | true/false |
| HAS_ANY_TAG | ctx.hasAnyTag() | ctx.hasAnyTag() | Check if resource has any tags | true/false |
| HAS_NO_TAG | !ctx.hasAnyTag() | !ctx.hasAnyTag() | Check if resource has no tags | true/false |
| HAS_TAG_ATTR('attrName') | ctx.hasTagAttr | ctx.hasTagAttr('sensitiveLevel') | Check if any tag has specific attribute | true/false |
JavaScript usage example:
| Macro | Expands to | JavaScript usage example | Description | Example return |
|---|---|---|---|---|
| GET_USER_ATTR_NAMES() | ctx.userAttrNames | ctx.userAttrNames() | Get all user attribute names as CSV | "dept,level,state" |
| GET_USER_ATTR_NAMES_Q() | ctx.userAttrNamesQ | ctx.userAttrNamesQ() | Get all user attribute names as quoted CSV | "'dept','level','state'" |
| GET_USER_ATTR('attrName') | ctx.userAttr | ctx.userAttr('clearanceLevel') | Get user attribute value | "10" |
| GET_USER_ATTR_Q('attrName') | ctx.userAttrQ | ctx.userAttrQ('department') | Get user attribute value with quotes | "'FINANCE'" |
| USER_ATTR_NAMES_CSV | ctx.userAttrNamesCsv() | ctx.userAttrNamesCsv() | Get user attribute names as CSV | "dept,level,state" |
| USER_ATTR_NAMES_Q_CSV | ctx.userAttrNamesCsvQ() | ctx.userAttrNamesCsvQ() | Get user attribute names as quoted CSV | "'dept','level','state'" |
| HAS_USER_ATTR('attrName') | ctx.hasUserAttr | ctx.hasUserAttr('clearanceLevel') | Check if user has specific attribute | true/false |
JavaScript usage example:
| Macro | Expands to | JavaScript usage example | Description | Example return |
|---|---|---|---|---|
| GET_UG_NAMES() | ctx.ugNames | ctx.ugNames() | Get user's group names as CSV | "admins,finance" |
| GET_UG_NAMES_Q() | ctx.ugNamesQ | ctx.ugNamesQ() | Get user's group names as quoted CSV | "'admins','finance'" |
| GET_UG_ATTR_NAMES() | ctx.ugAttrNames | ctx.ugAttrNames() | Get all group attribute names as CSV | "dept,site,level" |
| GET_UG_ATTR_NAMES_Q() | ctx.ugAttrNamesQ | ctx.ugAttrNamesQ() | Get all group attribute names as quoted CSV | "'dept','site','level'" |
| GET_UG_ATTR('attrName') | ctx.ugAttr | ctx.ugAttr('department') | Get group attribute values as CSV | "FINANCE,SALES" |
| GET_UG_ATTR_Q('attrName') | ctx.ugAttrQ | ctx.ugAttrQ('location') | Get group attribute values as quoted CSV | "'NY','CA'" |
| GET_UG_ATTR_CSV('attrName') | ctx.ugAttrCsv | ctx.ugAttrCsv('costCenter') | Get group attribute values as CSV (alias) | "CC001,CC002" |
| GET_UG_ATTR_Q_CSV('attrName') | ctx.ugAttrCsvQ | ctx.ugAttrCsvQ('region') | Get group attribute values as quoted CSV (alias) | "'East','West'" |
| UG_NAMES_CSV | ctx.ugNamesCsv() | ctx.ugNamesCsv() | Get group names as CSV | "admins,finance" |
| UG_NAMES_Q_CSV | ctx.ugNamesCsvQ() | ctx.ugNamesCsvQ() | Get group names as quoted CSV | "'admins','finance'" |
| UG_ATTR_NAMES_CSV | ctx.ugAttrNamesCsv() | ctx.ugAttrNamesCsv() | Get group attribute names as CSV | "dept,site,level" |
| UG_ATTR_NAMES_Q_CSV | ctx.ugAttrNamesCsvQ() | ctx.ugAttrNamesCsvQ() | Get group attribute names as quoted CSV | "'dept','site','level'" |
| IS_IN_GROUP('groupName') | ctx.isInGroup | ctx.isInGroup('finance') | Check if user is in specific group | true/false |
| IS_IN_ANY_GROUP | ctx.isInAnyGroup() | ctx.isInAnyGroup() | Check if user is in any group | true/false |
| IS_NOT_IN_ANY_GROUP | !ctx.isInAnyGroup() | !ctx.isInAnyGroup() | Check if user is not in any group | true/false |
| HAS_UG_ATTR('attrName') | ctx.hasUgAttr | ctx.hasUgAttr('department') | Check if user's groups have specific attribute | true/false |
JavaScript usage example:
| Macro | Expands to | JavaScript usage example | Description | Example return |
|---|---|---|---|---|
| GET_UR_NAMES() | ctx.urNames | ctx.urNames() | Get user's role names as CSV | "analyst,dba" |
| GET_UR_NAMES_Q() | ctx.urNamesQ | ctx.urNamesQ() | Get user's role names as quoted CSV | "'analyst','dba'" |
| UR_NAMES_CSV | ctx.urNamesCsv() | ctx.urNamesCsv() | Get role names as CSV | "analyst,dba" |
| UR_NAMES_Q_CSV | ctx.urNamesCsvQ() | ctx.urNamesCsvQ() | Get role names as quoted CSV | "'analyst','dba'" |
| IS_IN_ROLE('roleName') | ctx.isInRole | ctx.isInRole('data_scientist') | Check if user has specific role | true/false |
| IS_IN_ANY_ROLE | ctx.isInAnyRole() | ctx.isInAnyRole() | Check if user has any role | true/false |
| IS_NOT_IN_ANY_ROLE | !ctx.isInAnyRole() | !ctx.isInAnyRole() | Check if user has no roles | true/false |
JavaScript usage example:
| Macro | Expands to | JavaScript usage example | Description | Example return |
|---|---|---|---|---|
| IS_ACCESS_TIME_AFTER('dateTime') | ctx.isAccessTimeAfter | ctx.isAccessTimeAfter('2020/01/01')<br>ctx.isAccessTimeAfter('09:00') | Check if access time is after specified time | IS_ACCESS_TIME_AFTER('2020/01/01') |
| IS_ACCESS_TIME_BEFORE('dateTime') | ctx.isAccessTimeBefore | ctx.isAccessTimeBefore('2025/01/01')<br>ctx.isAccessTimeBefore('18:00') | Check if access time is before specified time | IS_ACCESS_TIME_BEFORE('2025/01/01') |
| IS_ACCESS_TIME_BETWEEN('from','to') | ctx.isAccessTimeBetween | ctx.isAccessTimeBetween('09:00','17:00')<br>ctx.isAccessTimeBetween('2023/01/01','2023/12/31') | Check if access time is within range | IS_ACCESS_TIME_BETWEEN('09:00','17:00') |
JavaScript usage example:
Combined conditions
JavaScript usage example
HAS_TAG('SENSITIVE') && IS_IN_GROUP('privileged-users') && Number(GET_USER_ATTR('clearanceLevel')) >= Number(GET_TAG_ATTR('sensitiveLevel'))
Important notes
- `Q` suffix: Macros ending with `Q` return values enclosed in single quotes.
- `CSV` suffix: Macros ending with `CSV` return values separated by commas.
- Parameter format: Macros that require parameters use parentheses, for example, `GET_TAG_ATTR('attrName')`.
- String parameter format: Always use single quotes for string parameters, such as `ctx.tagAttr('attributeName')`.
- Case sensitivity: Attribute names and values are case-sensitive.
- Boolean returns: `HAS_*` and `IS_*` macros return `true`/`false`.
- Boolean logic: Combine conditions using `&&`, `||`, and `!` for complex conditions.
- Multiple values: If multiple tags or groups share the same attribute, the returned values are comma-separated.
- Array operations: To convert CSV values into arrays for advanced processing, use `.split(',')`.
- Type conversion: For numeric comparisons, apply `parseInt()` or `Number()`.
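An added example (not part of the Ranger documentation) for the multiple-values and type-conversion notes, applied to a clearanceLevel versus sensitiveLevel check like the one under Combined conditions: compared as strings, '9' >= '10' is true, and a tag attribute can arrive as the CSV '10,5'. `makeCtx` is a constructed stub of the `ctx` functions used, and its null return for a missing attribute is an assumption.

```javascript
// Constructed stand-in for Ranger's script context (assumption: a missing
// attribute comes back as null). Values are strings, as in the macro tables.
function makeCtx({ tags = {}, groups = [], userAttrs = {} }) {
  return {
    hasTag: (name) => Object.keys(tags).includes(name),
    isInGroup: (name) => groups.includes(name),
    userAttr: (name) => userAttrs[name] ?? null,
    tagAttr: (name) => {            // CSV across every tag carrying the attribute
      const vals = Object.values(tags).map((t) => t[name]).filter((v) => v != null);
      return vals.length ? vals.join(',') : null;
    },
  };
}

// Accept plain decimal integers only: Number('') is 0 and parseInt('5x') is 5,
// and either would let a malformed attribute pass as a level.
function toLevel(s) {
  return typeof s === 'string' && /^\d+$/.test(s.trim()) ? Number(s.trim()) : null;
}

// Naive: both operands are strings, so >= compares them character by character.
function naiveLevelCheck(ctx) {
  return ctx.userAttr('clearanceLevel') >= ctx.tagAttr('sensitiveLevel');
}

// Hardened: parse each value, require the user to meet the highest tag level,
// and return false (no match) when a value is missing or not a number.
function strictLevelCheck(ctx) {
  const user = toLevel(ctx.userAttr('clearanceLevel'));
  const csv = ctx.tagAttr('sensitiveLevel');
  if (user === null || csv === null) return false;
  const levels = csv.split(',').map(toLevel);
  return !levels.includes(null) && user >= Math.max(...levels);
}

function condition(ctx, levelCheck) {
  return ctx.hasTag('SENSITIVE') && ctx.isInGroup('privileged-users') && levelCheck(ctx);
}

// Constructed request: clearance 9 against a resource tagged at level 10.
const sample = makeCtx({
  tags: { SENSITIVE: { sensitiveLevel: '10' } },
  groups: ['privileged-users'],
  userAttrs: { clearanceLevel: '9' },
});
console.log(condition(sample, naiveLevelCheck), condition(sample, strictLevelCheck)); // true false
```

Returning false on unparseable input is the safe default for a condition on an allow policy; on a deny policy the same inputs should make the condition match instead.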
Best practices
- Ensure that the JavaScript conditions are straightforward and easy to test.
- Apply `ctx.result=false` to deny access and `ctx.result=true` to allow access, based on the specific condition type.
- Use macros and attributes to reduce hardcoding of values.
- Refrain from using intricate nested logic unless absolutely required.
